Community discussions

MikroTik App
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Help DNS approach to Faster Browsing

Thu Nov 07, 2024 3:10 pm

Good morning,

I'm new to mikrotik and would ask for your help!!!

My ISP provides trough fiber - 1000mb down/ 400mb up.

I have RB5009 router and I have 2 tp-link omada access points configured as stand-alone only with 5ghz ssid enable. I've done several tests with my laptop, mobile phone and tablet and the speed test is always around 880/920 down 350/380 up

Most of my clients complain that when browsing the internet it takes a long time to download pages etc...

I have setup a fasttrack to tcp and udp 53 port in the firewall, but I don't know if it helps.

Can you please help if it's a DNS approach that it's not allowing the clients to have a faster browsing?

Do I need to setup and host a dns server my self?
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WRX560
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] comment="Management port" poe-out=off
set [ find default-name=ether8 ] name=ether8-WAN poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-switch
/interface wireguard
add listen-port=31231 mtu=1420 name=wireguard-casa
/interface vlan
add interface=bridge name=bridge.110 vlan-id=110
add interface=bridge name=bridge.192 vlan-id=192
/ip pool
add name=pool.192 ranges=192.168.27.2-192.168.27.254
add name=pool.110 ranges=10.80.81.2-10.80.81.254
/ip dhcp-server
add address-pool=pool.192 interface=bridge.192 lease-time=1d name=dhcp.192
add address-pool=pool.110 interface=bridge.110 lease-time=1d name=dhcp.110
/queue type
add cake-flowmode=dual-dsthost cake-nat=yes kind=cake name=cake-download
add cake-flowmode=dual-srchost cake-nat=yes kind=cake name=cake-upload
/queue tree
add bucket-size=0.01 max-limit=950M name=download packet-mark=no-mark parent=\
    bridge.110 queue=cake-download
add bucket-size=0.01 max-limit=400M name=upload packet-mark=no-mark parent=\
    ether8-WAN queue=cake-upload
/interface bridge port
add bridge=bridge interface=ether1-WRX560 pvid=110
add bridge=bridge interface=ether2 pvid=110
add bridge=bridge interface=ether3 pvid=110
add bridge=bridge interface=sfp-sfpplus1-switch pvid=110
add bridge=bridge interface=ether4 pvid=110
add bridge=bridge interface=ether5 pvid=110
add bridge=bridge interface=ether6 pvid=110
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-WRX560,sfp-sfpplus1-switch vlan-ids=\
    192
add bridge=bridge tagged=bridge vlan-ids=110
/ip address
add address=10.80.81.1/24 interface=bridge.110 network=10.80.81.0
add address=192.168.27.1/24 interface=bridge.192 network=192.168.27.0
add address=172.21.1.1/24 interface=ether7 network=172.21.1.0
add address=10.6.14.1/24 interface=wireguard-casa network=10.6.14.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=ether8-WAN
/ip dhcp-server network
add address=10.80.81.0/24 dns-server=10.80.81.1 gateway=10.80.81.1
add address=192.168.27.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.27.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.80.81.0/24 list="rede suporte"
add address=astoo.synology.me list="rede suporte"
/ip firewall filter
add action=drop chain=forward connection-state=new dst-address=10.80.81.0/24 \
    src-address=192.168.27.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=31231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.6.14.0/24
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list="rede suporte"
add action=accept chain=input limit=50,5:packet protocol=icmp
add action=add-src-to-address-list address-list="rede suporte" \
    address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="Fasttrack TCP" \
    dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack UDP" \
    dst-port=53 hw-offload=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=\
    10.80.81.3 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=\
    10.80.81.4 to-ports=8000
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=8001
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/system ntp client
set enabled=yes
Last edited by Nexius on Thu Nov 07, 2024 3:23 pm, edited 1 time in total.
 
erlinden
Forum Guru
Forum Guru
Posts: 2626
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 3:23 pm

Is DNS the problem? Did you do a proper analyses on why it takes a long time?

In such a case I like to use the Developer Tools (F12) which can give you a good indication on where the problem is.

From your config:
/ip dhcp-client
add interface=ether8-WAN
You can expand that with use-peer-dns=no to make sure only the /ip dns configured DNS servers are used.
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 4:29 pm

Is DNS the problem? Did you do a proper analyses on why it takes a long time?

In such a case I like to use the Developer Tools (F12) which can give you a good indication on where the problem is.

From your config:
/ip dhcp-client
add interface=ether8-WAN
You can expand that with use-peer-dns=no to make sure only the /ip dns configured DNS servers are used.
ok, I have set

/ip dhcp-client add interface=ether8-WAN use-peer-dns=no

can you specify with developer tools (f12) you mean?
 
User avatar
infabo
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 5:21 pm

Web Browser
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 6:26 pm

If you are an ISP ...
Using external DNS servers ( such as in your case 1.1.1.1 & 8.8.8.8 ) might not deliver fast/quick DNS results.

Some issues/problems when using any external ( not yours ) may include some or all of the following potential problems :
- Network propagation delays ; The time and hops it takes for a client on your network to make a DNS request and have that DNS request traverse your networks , through any of your firewalls & routers , then out through your Internet connection , then out through your upstream ISPs Internet connection , then through the Internet BGP routers , then finally the DNS request making it to an external DNS server.
- After an external DNS server receives your clients DNS query , that server could be very busy processing other DNS queries ( tens-of-thousands + ) which can delay that external DNS server and the time it takes to generate/send the answer to your clients DNS request.
- Packets sent from an external DNS server back to your customer's DNS query may experience similar delays/propagation delays as the returned DNS answer traverses from it's location , through all the Internet BGP servers , through your ISPs upstream Internet connection , through your Internet connection , then through your clients firewalls/routers and finally to the original computer that made the DNS request.

As is ISP with thousands of customers , I never assign any of my clients external off-site DNS servers. It is just way toooo slow to get results.
I maintain my own dedicated Linux BIND DNS servers. My DNS servers respond to my customer DNS queries very quickly , mostly because there my DNS servers are very close to my customers - very little propagation delay - and my DNS servers are not also processing tens-of-thousands of DNS queries from other locations out on the Internet. Typical customer ping time to my DNS servers is always under 5-ms or quicker.

North Idaho Tom Jones
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 6:32 pm

If you are an ISP ...
Using external DNS servers ( such as in your case 1.1.1.1 & 8.8.8.8 ) might not deliver fast/quick DNS results.

Some issues/problems when using any external ( not yours ) may include some or all of the following potential problems :
- Network propagation delays ; The time and hops it takes for a client on your network to make a DNS request and have that DNS request traverse your networks , through any of your firewalls & routers , then out through your Internet connection , then out through your upstream ISPs Internet connection , then through the Internet BGP routers , then finally the DNS request making it to an external DNS server.
- After an external DNS server receives your clients DNS query , that server could be very busy processing other DNS queries ( tens-of-thousands + ) which can delay that external DNS server and the time it takes to generate/send the answer to your clients DNS request.
- Packets sent from an external DNS server back to your customer's DNS query may experience similar delays/propagation delays as the returned DNS answer traverses from it's location , through all the Internet BGP servers , through your ISPs upstream Internet connection , through your Internet connection , then through your clients firewalls/routers and finally to the original computer that made the DNS request.

As is ISP with thousands of customers , I never assign any of my clients external off-site DNS servers. It is just way toooo slow to get results.
I maintain my own dedicated Linux BIND DNS servers. My DNS servers respond to my customer DNS queries very quickly , mostly because there my DNS servers are very close to my customers - very little propagation delay - and my DNS servers are not also processing tens-of-thousands of DNS queries from other locations out on the Internet. Typical customer ping time to my DNS servers is always under 5-ms or quicker.

North Idaho Tom Jones

Thank you very much for your very detailed answer! Actually, one of the things I would like to do in an rb5009 it's to install container (with SSD connected via USB) was to install a bind9 DNS server, but I'm very afraid, because the tutorials I saw don't detail installation in a container, but rather, on a normal linux server...
 
User avatar
infabo
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 6:47 pm

First, I would not distribute external DNS down to clients:

So instead of
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.27.1
use
/ip dhcp-server network set [find gateway=192.168.27.1] dns-server=192.168.27.1
 
Why even use 3rd party DNS? Is there something special about Cloudflare or Google DNS? I don't think so. Use the DNS provided by your ISP instead. Or do you misstrust your ISP? If not, then just unset it.
/ip dns set servers=""
/ip dhcp-client set [find interface=ether8-WAN] use-peer-dns=yes
 
apestalménos1
just joined
Posts: 20
Joined: Mon Jun 05, 2023 5:59 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:03 pm

I maintain my own dedicated Linux BIND DNS servers.
North Idaho Tom Jones
Are these servers authoritative?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:07 pm

I maintain my own dedicated Linux BIND DNS servers.
North Idaho Tom Jones
Are these servers authoritative?
Authoritativity of servers depends on whether they are declared (by SOA and NS records) as such for certain domain(s). All other servers are caching servers. Like DNS server at 8.8.8.8 is caching server for mikrotik.com ... and servers of @TomjNorthIdaho are exactly the same in tthis respect.
 
apestalménos1
just joined
Posts: 20
Joined: Mon Jun 05, 2023 5:59 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:14 pm

Authoritativity of servers depends on whether they are declared (by SOA and NS records) as such for certain domain(s). All other servers are caching servers. Like DNS server at 8.8.8.8 is caching server for mikrotik.com ... and servers of @TomjNorthIdaho are exactly the same in tthis respect.
So a query that isn't already cached must leave his network and the response time will be slower. I'm curious about the 5ms response time.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:38 pm

Authoritativity of servers depends on whether they are declared (by SOA and NS records) as such for certain domain(s). All other servers are caching servers. Like DNS server at 8.8.8.8 is caching server for mikrotik.com ... and servers of @TomjNorthIdaho are exactly the same in tthis respect.
So a query that isn't already cached must leave his network and the response time will be slower. I'm curious about the 5ms response time.
Yes. But if he has many clients using his caching servers, chance is that answer is cached already. If it's not, then answer to your query will be cached and ready for another user asking same question. So some queries will go out to the wild, possibly traversing all DNS hierarchy from the root servers down, but not all. And, BTW, also google or cloudflare servers have to do the same traversal and it may take them the same amount of time. The only difference is that they have many more users so chance of having answer already cached is statistically higher ... unless you are resolving some local domains in which case it's more likely that ISP's caching server will have answer cached.
 
apestalménos1
just joined
Posts: 20
Joined: Mon Jun 05, 2023 5:59 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:43 pm

Yes. But if he has many clients using his caching servers, chance is that answer is cached already. If it's not, then answer to your query will be cached and ready fir anotger user asking same question. So some queries will go out to the wild, possibly traversing all DNS hierarchy from the root servers down, but not all. And, BTW, also google or cloudflare servers have to do the same.
Got it. I'm running two DNS servers which have a reponse time of 0ms for cached stuff. I was hoping for a magic bullet for the un-cached queries. Thanks for the responses.
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:55 pm

any help to setup my own dns server?
 
apestalménos1
just joined
Posts: 20
Joined: Mon Jun 05, 2023 5:59 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:58 pm

any help to setup my own dns server?
How many clients(computers) do you hope to serve?
 
erlinden
Forum Guru
Forum Guru
Posts: 2626
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 7:59 pm

any help to setup my own dns server?
Please first confirm your problem, is it DNS?
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:00 pm

any help to setup my own dns server?
How many clients(computers) do you hope to serve?
around 50/60
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:01 pm

any help to setup my own dns server?
Please first confirm your problem, is it DNS?
at the moment, I can't confirm that is DNS or not, but anyway, I would like to setup my own dns server
 
erlinden
Forum Guru
Forum Guru
Posts: 2626
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:03 pm

What is the exact purpose of running your own DNS server?
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:14 pm

To be exact, why is need for running own recursive DNS (no need for upstream)? ROS DNS server is functional DNS server but needs upstream DNS.
 
Nexius
newbie
Topic Author
Posts: 42
Joined: Tue Mar 03, 2015 12:24 am

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:16 pm

What is the exact purpose of running your own DNS server?
IMHO, to delivery fast queries to my clients...
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:18 pm

For such purpose ROS DNS server is quite enough. You can download DNS Benchmark application and check your DNS performance comparing with other public.
If you confirm that you actually have DNS resolving latency, it could be issue with network latency when network is loaded which affects querying upstream DNS, this can be resolved with QoS and prioritizing DNS traffic.
 
apestalménos1
just joined
Posts: 20
Joined: Mon Jun 05, 2023 5:59 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:34 pm

Inexpensive PC server running unbound or bind.
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Help DNS approach to Faster Browsing

Thu Nov 07, 2024 8:46 pm

Check if DNS latency is actual issue on clients regardless which DNS is used...
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Help DNS approach to Faster Browsing

Wed Nov 20, 2024 3:23 am

kind of a head-up on how I run my BIND9 DNS servers.

I have qty 1 LAB Live-IP authoritative DNS server

I have qty 2 Live-IP authoritative DNS server ( aka normal DNS servers )

I have qty 2 authoritative/caching DNS server behind a firewall that all/most of my customers use - ( the Internet can not open connections to these DNS servers but they can get out). These two DNS servers are semi-immune from Internet denial-of-service /network scanning attacks.

All my DNS servers are dual-stack ( IPv4 and IPv6 ) and have 256-Gig or up-to a full Terra-Byte of RAM for large cache.

I started doing DNS servers this way 30+ years ago and stick with it because it just always works well and customer DNS queries are always fast ( especially after DNS cache has populated in 30-minutes or so from about 3k+ customers DNS requests ).

This helps all of my Mikrotik CPE based customers get to Internet sites faster ( less DNS lookup time ).

Speaking of cache --- another subject but sticking to the topic of "approach to Faster Browsing" --- Do any ISPs still use squid proxy/cache servers ? I used to use them 20 years ago and thinking about doing it again as an option to my customers. ((( with these , your ISP could be on a saturated 56-k Internet feed and/or the remote web site on a saturated 56-k Internet feed, and squid would still deliver cached web pages at full network speeds after they are cached. ))). I have 10-Gig BGP feeds into 100-Gig switches. I'm thinking with squid cached web pages ( on a 30-to-300-TiB disk with about 1-TB RAM for squid cache ) , I should be able to make even sloooow connected web sites ( that are cached ) pop-up at near 100-Gig network speeds. (( Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more ... )) , anybody still doing squid servers ?

North Idaho Tom Jones
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help DNS approach to Faster Browsing

Wed Nov 20, 2024 9:31 am

Do any ISPs still use squid proxy/cache servers ?

Can't speak about ISPs, but in my company (with a few remote offices) we're forced to use proxy server (squid) for remote offices to be able to exit to internet (the connection between remote offices and main office is over some MAN which offers their own internet breakout but due to their policies, our remote offices can't really use it).

However, in age of "everything over https", squid doesn't cache anything ... because clients (browsers) request connection from proxy (rather than a resource if using plain http). Which means that proxy doesn't really see contents of the request and thus can't cache it. Configuring proxy to work over SSL doesn't change it, it only secures communication between client (browser) and proxy ... which is important if using proxy requires authentication.
 
User avatar
Lokamaya
Member Candidate
Member Candidate
Posts: 101
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: Help DNS approach to Faster Browsing

Fri Nov 22, 2024 8:42 am

Why do you have specified forward-fasttract for tcp/udp on port 53 only? I don's see any need for it, because all dhcp dns-server pointing to the router. And I think it is better to move forward/drop to the last row of the firewall filter.
...
/ip firewall filter
add action=drop chain=forward connection-state=new dst-address=10.80.81.0/24 \
    src-address=192.168.27.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=31231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.6.14.0/24
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list="rede suporte"
add action=accept chain=input limit=50,5:packet protocol=icmp
add action=add-src-to-address-list address-list="rede suporte" \
    address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="Fasttrack TCP" \
    dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack UDP" \
    dst-port=53 hw-offload=yes protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=\
    10.80.81.3 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=\
    10.80.81.4 to-ports=8000
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=8001
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    10.80.81.5 to-ports=8000
...
Also the last 3 NATs are redundant.

add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=10.80.81.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=10.80.81.5 to-ports=8001
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=10.80.81.5 to-ports=8000

Who is online

Users browsing this forum: escape214, kot2905 and 25 guests